[Samba] Correct NTP Settings for Samba 4.0.6?
Hello,

I recently compiled Samba 4.0.6 (as an AD DC) and am running it on Ubuntu 12.04. I followed the instructions on the Samba wiki (https://wiki.samba.org/index.php/Configure_NTP) for how to configure ntp, however the domain clients are rejecting the DCs as being acceptable time sources. Below is my ntp.conf:

    server 127.127.1.0
    fudge 127.127.1.0 stratum 10
    server 0.pool.ntp.org iburst prefer
    server 1.pool.ntp.org iburst prefer
    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp
    ntpsigndsocket /var/run/samba/ntp_signd
    restrict default kod nomodify notrap nopeer mssntp
    restrict 127.0.0.1
    restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Using Ubuntu, I am not using SELinux. I do not believe there to be any problems with apparmor, as it contains these lines in /etc/apparmor.d/usr.sbin.ntpd:

    # samba4 ntp signing socket
    /{,var/}run/samba/ntp_signd/socket rw,

What is the correct procedure for configuring NTP for a Samba4 AD DC?

Thanks,

Andrew

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message -
From: Robert Gurdon sandbox...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Sent: Saturday, July 27, 2013 7:02:51 AM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

Yo,

Could you attach your ntp log when you start/restart it?

Robert

--
Kind regards: Robert

Robert,

Sure, thanks for the help. Here are log messages when I restart ntpd:

    Jul 27 09:14:02 dc1 ntpd[30565]: ntpd exiting on signal 15
    Jul 27 09:14:04 dc1 ntpd[5957]: ntpd 4.2.6p3@1.2290-o Tue Jun 5 20:12:08 UTC 2012 (1)
    Jul 27 09:14:04 dc1 ntpd[5958]: proto: precision = 0.345 usec
    Jul 27 09:14:04 dc1 ntpd[5958]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen and drop on 1 v6wildcard :: UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 2 lo 127.0.0.1 UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 3 eth0 192.168.0.102 UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 4 eth0 192.168.0.221 UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 5 eth0 fe80::5054:ff:fece:1e3b UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 6 lo ::1 UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: peers refreshed
    Jul 27 09:14:04 dc1 ntpd[5958]: Listening on routing socket on fd #23 for interface updates
    Jul 27 09:14:04 dc1 ntpd[5958]: MS-SNTP signd operations currently block ntpd degrading service to all clients.

The ntp_signd directory is empty:

    root@dc1:/# ls -l /var/run/samba/ntp_signd
    total 0
    root@dc1:/# ls -l /var/run/samba/ | grep ntp
    drwxr-x--- 2 ntp ntp 40 Jul 8 16:40 ntp_signd

Thanks,

Andrew
[Samba] Samba 4 Slow Performance
Dear all,

After using samba 3 for two years, I have just spent a total of one week finishing setting up a samba 4 file system in my working school. There are about 200 computers, 80+ staff, 1000 students and 10 printers. The AD was properly set up; a mandatory profile and one GPO policy (which is printer download trust) are effective for all users. The logon script is for mapping four shares and 10 printers from the file server. Also, I have set up two additional DCs (with AD replication and DHCP server) for two other subnets in the hope of speeding up the logon process.

The benefits of Samba 4 are clear: more robust file serving (supporting the windows ACL), speedy printing (with the help of point and printer driver) and administration of AD through the windows remote admin tool.

However, logon speed is just far from good. In the days of Samba 3.6, users could log on to the system within 20 seconds, even with more than 80 users logging on at the same time (two classes of students logging in during a computer lesson). Now, with only one user logging in (who is me), it takes nearly 60 seconds to do the logon. I have tried disabling drive and printer mapping in the logon script and applying a registry hack (note 1) to shorten the profile waiting time on the windows 7 client side, but it makes no difference in logon speed.

I have taken a look at the document from sambaXP 2013:

http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track1/Matthieu_Patou-Smaller_Faster_Scalier.pdf

and two threads in the samba-technical mailing list:

https://lists.samba.org/archive/samba-technical/2013-January/089755.html
https://lists.samba.org/archive/samba-technical/2013-May/092332.html

It seems that the samba team is doing some great work in spotting the unindexed search in LDB as one of the blocks in performance. Certainly, I can wait for the new version 4.0.X for the boost in performance. However, I am in deep panic when lessons are going to be launched on 1st September 2013 here in Hong Kong. Are there any patches so that I can apply a hot / dirty fix?

Thanks for attending.

Kinglok, Fong

Note: Set maximum wait time for the network if a user has a roaming to 1 (setting it to 0 will default it to 30 seconds) and Startup policy processing wait time... to 1
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
When you compiled Samba, did you not use the standard install path (/usr/local/samba) or did you add an entry in smb.conf to use /var/run/samba/ntp_signd for the socket?
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 10:33:49 AM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

When you compiled Samba, did you not use the standard install path (/usr/local/samba) or did you add an entry in smb.conf to use /var/run/samba/ntp_signd for the socket?

Thomas,

When compiling Samba, I specified custom paths to be in line with Debian's conventions for file locations:

    conf_args = \
        --prefix=/usr \
        --enable-fhs \
        --sysconfdir=/etc \
        --localstatedir=/var \
        --with-privatedir=/var/lib/samba/private \
        --with-smbpasswd-file=/etc/samba/smbpasswd \
        --with-piddir=/var/run/samba \
        --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
        --with-pam \
        --with-syslog \
        --with-utmp \
        --with-pam_smbpass \
        --with-winbind \
        --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
        --with-automount \
        --with-ldap \
        --with-ads \
        --with-dnsupdate \
        --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
        --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
        --datadir=/usr/share \
        --with-lockdir=/var/run/samba \
        --with-statedir=/var/lib/samba \
        --with-cachedir=/var/cache/samba \
        --disable-avahi \
        --with-ctdb=/usr \
        --disable-rpath \
        --disable-ntdb \
        --disable-rpath-install \
        --bundled-libraries=NONE,pytevent,iniparser \
        --builtin-libraries=replace,ccan \
        --minimum-library-version=$(shell ./debian/autodeps.py --minimum-library-version) \
        --without-getpass-replacement \
        --enable-debug

Thanks,

Andrew
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
The ls -l command you ran shows the ntp_signd directory is empty, so it looks like samba is not creating the socket (at least in that location). Do you have the ntp signd socket directory option in your smb.conf? If not, try manually adding it to smb.conf:

    ntp signd socket directory = /var/run/samba/ntp_signd

Apart from that, my suggestion would be to stop apparmor and iptables for testing and run ntp and samba with verbose logging on and see what it says. Also, what does w32tm /query /source and w32tm /monitor show on the client?
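Added example, not part of the original thread and not Samba's or ntpd's own tooling: a shell check for the situation discussed above, where ntpd's ntpsigndsocket and Samba's ntp signd socket directory must name the same directory and Samba must have created the file named socket inside it. The function names and status words are made up here, and the directory-mode check assumes the drwxr-x--- mode seen in the ls output is the intended one.

```shell
#!/bin/sh
# Added example: checks that ntpd and Samba agree on the MS-SNTP signing socket.
# Function names and status words are made up for this example.

# Directory named by "ntpsigndsocket" in an ntp.conf-style file (empty if unset).
ntp_signd_dir() {
    awk '$1 == "ntpsigndsocket" { print $2; exit }' "$1"
}

# Value of "ntp signd socket directory" in an smb.conf-style file (empty if
# unset). Only the plain lower-case spelling used in the thread is matched.
smb_signd_dir() {
    sed -n -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*ntp signd socket directory[[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1
}

# True if some "restrict" line carries the mssntp flag, which enables
# MS-SNTP authentication for the clients that line matches.
has_mssntp() {
    awk '$1 == "restrict" { for (i = 2; i <= NF; i++) if ($i == "mssntp") found = 1 }
         END { exit !found }' "$1"
}

# Print one status word for an ntp.conf / smb.conf pair; return non-zero
# unless everything lines up.
check_signd() {
    ntp_dir=$(ntp_signd_dir "$1")
    smb_dir=$(smb_signd_dir "$2")
    if [ -z "$ntp_dir" ]; then echo "ntp-unset"; return 1; fi
    if ! has_mssntp "$1"; then echo "no-mssntp"; return 1; fi
    # Without the smb.conf option Samba uses its build-time default, which
    # cannot be verified from the config files alone.
    if [ -z "$smb_dir" ]; then echo "smb-unset"; return 1; fi
    if [ "$ntp_dir" != "$smb_dir" ]; then echo "path-mismatch"; return 1; fi
    if [ ! -d "$ntp_dir" ]; then echo "dir-missing"; return 1; fi
    # Assumption: the directory stays closed to "other" (as in the drwxr-x---
    # listing in the thread), because the socket itself is rwxrwxrwx.
    other=$(ls -ld "$ntp_dir" | cut -c8-10)
    if [ "$other" != "---" ]; then echo "dir-world-accessible"; return 1; fi
    # An empty directory is the failure seen in the thread: Samba never
    # created the socket there.
    if [ ! -S "$ntp_dir/socket" ]; then echo "socket-missing"; return 1; fi
    echo "ok"
}

# Demo on constructed files mirroring the first state in the thread:
# ntp.conf names the directory, smb.conf does not set the option.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ntpsigndsocket /var/run/samba/ntp_signd' \
        'restrict default kod nomodify notrap nopeer mssntp' > "$d/ntp.conf"
    printf '[global]\n' > "$d/smb.conf"
    check_signd "$d/ntp.conf" "$d/smb.conf" || true   # prints: smb-unset
    rm -rf "$d"
}
demo
```

On a DC, call check_signd with the real ntp.conf and smb.conf paths after restarting samba and ntpd.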
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 11:03:49 AM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

The ls -l command you ran shows the ntp_signd directory is empty, so it looks like samba is not creating the socket (at least in that location). Do you have the ntp signd socket directory option in your smb.conf? If not, try manually adding it to smb.conf:

    ntp signd socket directory = /var/run/samba/ntp_signd

Apart from that, my suggestion would be to stop apparmor and iptables for testing and run ntp and samba with verbose logging on and see what it says. Also, what does w32tm /query /source and w32tm /monitor show on the client?

Thomas,

Adding that parameter to the smb.conf file, as well as removing the ntp_signd directory so that samba itself could create it appears to have worked:

    root@dc0:/# ls -l /var/run/samba/ntp_signd/
    total 0
    srwxrwxrwx 1 root root 0 Jul 27 11:41 socket

I also needed a few extra lines in ntp.conf, otherwise the Windows client would fail with the error "The computer did not resync because no time data was available":

    server 0.us.pool.ntp.org
    server 1.us.pool.ntp.org
    server 2.us.pool.ntp.org
    server 3.us.pool.ntp.org
    server 127.127.1.0
    fudge 127.127.1.0 stratum 10
    server 0.pool.ntp.org iburst prefer
    server 1.pool.ntp.org iburst prefer
    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp
    ntpsigndsocket /var/run/samba/ntp_signd
    restrict default kod nomodify notrap nopeer mssntp
    restrict 127.0.0.1
    restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Do the Windows clients prefer ntp information from the DHCP lease, or from the DC that they are connected to? My DHCP configuration currently is using an old NTP server until I get Samba4's NTP up and running. Thus, when I run w32tm /query /source on the
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
Running

    w32tm /config /update /syncfromflags:DOMHIER
    net stop w32time
    net start w32time

should make the client query the directory for its time server. You can verify the configuration with w32tm /query /configuration and look for the Type to be NT5DS. This means it's using AD. You can also run w32tm /monitor and the Windows time service will go through the processes of querying the directory to find a time server, then verify it's accessible. If that works, all is working.

I found w32tm /monitor will fail if you have your domain functional level at 2008 or 2008_R2. I don't know if this is a bug in Samba as I haven't had time to test against a real 2008+ server. Just know it's to be expected.
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 12:26:57 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

Running

    w32tm /config /update /syncfromflags:DOMHIER
    net stop w32time
    net start w32time

should make the client query the directory for its time server. You can verify the configuration with w32tm /query /configuration and look for the Type to be NT5DS. This means it's using AD. You can also run w32tm /monitor and the Windows time service will go through the processes of querying the directory to find a time server, then verify it's accessible. If that works, all is working.

I found w32tm /monitor will fail if you have your domain functional level at 2008 or 2008_R2. I don't know if this is a bug in Samba as I haven't had time to test against a real 2008+ server. Just know it's to be expected.
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message -
From: Andrew Martin amar...@xes-inc.com
To: Thomas Simmons twsn...@gmail.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 2:31:21 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 12:26:57 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
Your Windows client is not able to access the NTP server, which is why w32tm /resync fails and the reason for the NTP: ERROR_TIMEOUT - no response from server in 1000ms error when running w32tm /monitor. Why? I can't say. Can you setup a Linux box to use this server for NTP and run ntpdate as a test? I've seen this when there is a flaky network connection (traffic, wifi, or when the DC is a VMware VM under certain situations). Your DC is not a VM is it?
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 7:07:59 PM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? Your Windows client is not able to access the NTP server, which is why w32tm /resync fails and the reason for the NTP: ERROR_TIMEOUT - no response from server in 1000ms error when running w32tm /monitor. Why? I can't say. Can you setup a Linux box to use this server for NTP and run ntpdate as a test? I've seen this when there is a flaky network connection (traffic, wifi, or when the DC is a VMware VM under certain situations). Your DC is not a VM is it?
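Added example, not part of the thread and not Samba project code: a check for the condition diagnosed above, where ntpd's ntpsigndsocket directory and Samba's "ntp signd socket directory" must name the same place, a restrict line must carry mssntp, and a socket named "socket" must exist in that directory. The function names are hypothetical, and treating an unset smb.conf option as a finding is an assumption, since the script cannot know the build default.

```shell
#!/bin/sh
# Added example: consistency check between ntp.conf and smb.conf for the
# MS-SNTP signing socket. Function names are hypothetical.

# Directory given by "ntpsigndsocket" in an ntp.conf (last one wins).
ntp_signd_dir() {
    awk '$1 == "ntpsigndsocket" { d = $2 } END { print d }' "$1"
}

# Value of "ntp signd socket directory" in an smb.conf, empty if unset.
# The key is compared ignoring case and embedded spaces.
smb_signd_dir() {
    awk -F= '{ k = tolower($1); gsub(/[ \t]/, "", k) }
        k == "ntpsigndsocketdirectory" {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); d = v }
        END { print d }' "$1"
}

# Succeeds if at least one "restrict" line carries the mssntp flag.
has_mssntp() {
    awk '$1 == "restrict" { for (i = 2; i <= NF; i++) if ($i == "mssntp") ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# check_signd NTP_CONF SMB_CONF: prints one finding per line and returns
# 0 when nothing was found, 1 otherwise.
check_signd() {
    ntp_dir=$(ntp_signd_dir "$1"); smb_dir=$(smb_signd_dir "$2"); rc=0
    if [ -z "$ntp_dir" ]; then
        echo "ntp.conf: no ntpsigndsocket directive"; rc=1
    fi
    if ! has_mssntp "$1"; then
        echo "ntp.conf: no restrict line with mssntp"; rc=1
    fi
    if [ -z "$smb_dir" ]; then
        echo "smb.conf: ntp signd socket directory not set, build default applies"; rc=1
    elif [ "${smb_dir%/}" != "${ntp_dir%/}" ]; then
        echo "mismatch: ntpd uses $ntp_dir, samba uses $smb_dir"; rc=1
    fi
    if [ -n "$ntp_dir" ] && [ ! -S "$ntp_dir/socket" ]; then
        echo "no socket at $ntp_dir/socket (is samba running?)"; rc=1
    fi
    return $rc
}

# Run against real files when two paths are given on the command line.
if [ $# -eq 2 ]; then check_signd "$1" "$2"; fi
```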
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 73a9e6a selftest: Print error message when smbd does not have ADS support from f908e6b nsswitch: Add OPT_KRB5CCNAME to avoid an error message. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 73a9e6a73b3508fd689a18c72d0f5574f2fecf91 Author: Christof Schmitt christof.schm...@us.ibm.com Date: Wed Jul 3 12:49:43 2013 -0700 selftest: Print error message when smbd does not have ADS support When smbd cannot be compiled with ADS support, setting up the s3member environment fails with: samba: using 'standard' process model Samba can't provide environment 's3member' at /test/samba/selftest/target/Samba.pm line 44. Can't use string (UNKNOWN) as a HASH ref while strict refs in use at /test/samba/selftest/selftest.pl line 852. samba: EOF on stdin - terminating Add an explicit error message for the missing ADS support to make this easier to debug and also avoid the warning about the hash reference: samba: using 'standard' process model Samba can't provide environment 's3member' at /test/samba/selftest/target/Samba.pm line 44. Unable to setup environment s3member at /test/samba/selftest/selftest.pl line 851. smbd does not have ADS support samba: EOF on stdin - terminating Signed-off-by: Christof Schmitt christof.schm...@us.ibm.com Reviewed-by: Andreas Schneider a...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Sat Jul 27 08:31:14 CEST 2013 on sn-devel-104 --- Summary of changes: selftest/selftest.pl |4 +++- selftest/target/Samba3.pm |1 + 2 files changed, 4 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/selftest/selftest.pl b/selftest/selftest.pl index cc947a1..b60b762 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl 
@@ -847,7 +847,9 @@ if ($opt_testenv) { my $testenv_vars = setup_env($testenv_name, $prefix); - die(Unable to setup environment $testenv_name) unless ($testenv_vars); + if (not $testenv_vars or $testenv_vars eq UNKNOWN) { + die(Unable to setup environment $testenv_name); + } $ENV{PIDDIR} = $testenv_vars-{PIDDIR}; $ENV{ENVNAME} = $testenv_name; diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 26f5e92..20587bf 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -25,6 +25,7 @@ sub have_ads($) { close IN; # If we were not built with ADS support, pretend we were never even available + print smbd does not have ADS support\n unless $found_ads; return $found_ads; } -- Samba Shared Repository
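Review bot: in the selftest.pl hunk the new condition recognises the failure by comparing $testenv_vars with the sentinel string UNKNOWN, while the line right after it dereferences the value as a hash. Testing that ref($testenv_vars) is 'HASH' would reject any non-hash return from setup_env, not only this one sentinel, and would not depend on the sentinel's spelling staying in sync with the target module. The die text is also the same for an undefined return and for UNKNOWN, so the two cases still cannot be told apart from this line of the log alone.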
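Review bot: in the Samba3.pm hunk the added print in have_ads() writes to the default output handle and fires every time the predicate returns false, so a caller that only probes for ADS support emits the message as well. Consider warn or print STDERR, or move the message to the point where setting up the environment is abandoned. The new line also sits between the comment "pretend we were never even available" and the return it describes, so the comment now reads as if it documents the print; putting the print above the comment would keep the two together.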